(54) Gateway for supporting communications between network devices of different private networks



(57) Disclosed is a gateway under Home-to-Home Tunnelling Initiation Protocol (HTIP), for supporting communications between network devices connected to different private networks. When a tunnel setup request message is received from a host connected to a first private network for a tunnel to a second private network connected to a public network, a HTIP processor belonging to a control unit of the gateway communicates with the gateway of the second private network, negotiates the necessary information, and sets up a VPN tunnel utilizing the information. If the private networks have an identical network address, or if the network address of one private network is included in the network address of the other, a new network address table is created such that the two private networks can use different network addresses in the VPN tunnel. With respect to data packets transmitted from the host of the first private network, or from the second private network, the address is translated based on the new network address table, and the packets are forwarded with the translated address. Because a user in a home network can utilize a larger coverage of network, he/she can actively participate in a variety of communities. Additionally, a shortage of IPv4 type public IP addresses is solved.
Description

BACKGROUND OF THE INVENTION 

Field of the Invention

[0001] The present invention relates to a gateway, and more particularly to a gateway for supporting communications between network devices connected to different networks.

Description of the Related Art

[0002] With the recent development of communication technology, high-speed data service networks are widespread. Against this backdrop, more and more companies develop and manufacture digital information home appliances with networking functions, such as refrigerators, digital TVs and set-top boxes, which can connect to the Internet. As the home appliances are enabled to operate as information terminals with network functions added thereto, a new form of network, that is, a home network, has been developed.
[0003] Electric/electronic products forming a home network at home connect to the Internet in a wired or wireless manner, so that users can transmit and receive information and control the electric/electronic products through the Internet, regardless of where they are located, such as at home or at a remote place.
[0004] In order to connect electric/electronic products to the Internet, new types of network devices are built at homes with the necessary programs embedded. Among the network devices, a home gateway operates to connect the home network with the Internet and control the flow of the network packets.

[0005] Currently, each home is given one public Internet Protocol (IP) address from an Internet Service Provider (ISP) to connect to the Internet by using a basic home gateway such as an ADSL or cable modem.
[0006] These conventional home gateways provide a simple connecting service which connects one home network to the Internet. Meanwhile, a recent trend requires a variety of services to be provided through a home gateway, because a plurality of network devices can be used at homes, small office home business (SOHO) and in-house work are widespread, and appliance automation and remote control are actively developed. However, the conventional home gateways do not satisfy the current demands.

[0007] In order to meet the demands of the customers, a method using private IP addresses has been proposed for a home network. This method applies the network address port translation (NAPT) technology to a home gateway in order for a plurality of network devices of a home network to access the Internet with one shared IP address.

[0008] The problem is that the IP address of a home gateway frequently varies, thus requiring a user to find out the current IP address every time he/she wants to hook up to the home network connected to the Internet. In order to solve this problem, a technology has been proposed in which a home gateway is given an IP address from an ISP and then the domain name of the home gateway and the assigned IP address are registered in a dynamic DNS server on the Internet. According to this, the user can get access to appliances at his or her home through the domain name rather than the IP address.
[0009] A home gateway is given one IP address from an ISP, but, since a plurality of information devices are used at home under the home network environment, there exists a problem that the devices cannot be simultaneously connected to the Internet with the shared IP address. Accordingly, private IP addresses are used at home, and the NAPT technology is used that connects the information devices to the Internet by using one shared IP address.

[0010] If there are packets outgoing to the Internet from a home, the NAPT translates the private IP address of the packet source and the source port number into the assigned IP address and a different port number, which are recorded in an NAPT translation table. If the response packets to the above are forwarded to the home network from the Internet, the home gateway refers to the NAPT table, translates the IP address of the packet destination and the destination port number into the private IP address and port number, and forwards the response packets to the final destination. Packets forwarded to a home network from the Internet are discarded if they are not recorded in the NAPT table.
[0011] The use of the NAPT technology enables access to the Internet from a home network. That is, a plurality of network devices on a private network can get access to the Internet by sharing one IP address. However, it is impossible for network devices to get access to a home network from the Internet, because the information recorded in the NAPT table (private IP address and port, home gateway port number, IP address and port, and IP protocol) that would be needed for packets sent by an outside user on the Internet to be translated and routed through the home gateway into the private network is not known in advance.
[0012] The VPN is a technology applied to a home gateway in order for a user hooking up to the Internet to be able to get access to network devices from outside. VPN may vary depending upon the environments and network hierarchies applied, but, in home network environments, layer-2 tunneling protocols such as PPTP and L2TP are widely used. Each home gateway has a VPN server, and a remote user connected to the Internet operates as a VPN client. The home gateway of each home network can operate as a VPN server or a VPN client in each home network. First, a VPN client requests a VPN server to set up a tunnel by using an IP address on the Internet. If the tunnel is set up, the VPN server authenticates the VPN client, and allocates to the VPN client a private IP address that the client can use inside the home network. The VPN client creates a virtual network interface by using the allocated private IP address, and the interface is connected to the home network and operates like one network. The IP address of the VPN client is used to set up a tunnel to the VPN server, and the private IP address is used in the home network connected through the tunnel.

[0013] As described above, the application of the NAPT and VPN technologies to the home gateway enables connections to the Internet through a plurality of network devices at home, and enables remote users on the Internet to connect to the home network.
[0014] However, the above technologies such as NAPT and VPN connect home networks with the Internet, but have the problem that they cannot provide connections between an arbitrary home network and another home network. Because a home network uses private IP addresses, a plurality of home networks using different IP addresses may use identical private IP addresses at the same time. If a host connected to a home network transfers data and the host belonging to the home network has the identical IP address as a host belonging to a remote home network, errors occur upon data transmission, since no decision can be made on which home network the device to which the data is transmitted belongs to.

SUMMARY OF THE INVENTION

[0015] The present invention has been developed in order to solve the above drawbacks and other problems associated with the conventional arrangement. An aspect of the present invention is to provide a gateway which supports communications between network devices connected to different private networks.
[0016] The above aspect and/or other features of the present invention are substantially realized by providing a gateway which comprises at least one or more public network interfaces connected to public networks; at least one or more private network interfaces connected to private networks; and a control unit. If a tunnel setup request is received from a host connected to a first private network to set up a tunnel to a second private network connected to the public networks, the control unit sets up a VPN tunnel by communicating with a gateway of the second private network. If the second private network and the first private network have an identical network address, or if the network address of the first private network is included in the network address of the second private network or vice versa, the control unit creates a new network address table in order for the first and the second private networks to use different network addresses in the VPN tunnel, translates addresses based on the new network address table, and forwards data packets transmitted from the first private network or from the host connected to the second private network.

[0017] The control unit comprises a web server for providing a tunnel setup request page in order for the host connected to the second private network to request the setup of the tunnel; a private network Domain Name Server (DNS) processor for obtaining an Internet Protocol (IP) address of the gateway of the first private network from a DNS connected to the public networks with respect to the request of the setup of the tunnel to the first private network by the host connected to the second private network; a Virtual Private Network (VPN) processor operating as a server or a client according to the tunnel setup request transferred through the public network interface or through the private network interface, and creating a tunnel to the first private network; and an NAT/NAPT processor for translating a private IP address into an IP address or an IP address into a private IP address by using a Network Address Port Translation (NAPT) protocol with respect to data packets transmitted to the public network from the first private network or vice versa. If a VPN tunnel is set up between the first private network and the second private network, the control unit translates private IP addresses in the VPN tunnel by using a Network Address Translation (NAT) protocol. The web server can be replaced with a middleware server.

[0018] If the tunnel setup request to the second private network is transmitted from the host connected to the first private network, the VPN processor sends to the gateway of the second private network the tunnel setup request message, including the network address of the first private network and a second network address to be used as the network address of the first private network in the VPN tunnel. If a response to the tunnel setup request, which includes a network address of the second private network, the second network address, and a third network address to be used as the network address of the second private network in the VPN tunnel, is received from the gateway of the second private network, the VPN processor sends to the gateway of the second private network an acknowledgement (ACK) including the network address of the first private network, the network address of the second private network, the second network address, and the third network address. The VPN processor creates a private network connection management table through the processes from the generation of the tunnel setup request message to the second private network till the transmission of the ACK message. The private network connection management table includes a network address of the first private network, a network address of the second private network, the second network address, and the third network address, and may further include a domain name of a gateway of the second private network and a server/client state display item according to the VPN operations of a gateway of the second private network.

[0019] If the VPN processor generates the private network connection management table, the NAT/NAPT processor establishes a Network Address Translation (NAT) for hosts connected to the private networks.
[0020] If a communication request for a second host connected to the second private network is transmitted from a first host connected to the first private network in a state that the VPN tunnel to the second private network is created, the DNS processor enquires to the gateway of the second private network about a third network address of the second host. If a response to the inquiry about the third network address of the second host is received from the gateway of the second private network, the DNS processor sends the third network address of the second host to the first host.
[0021] If data packets having the third network address of the second host as a destination address are transmitted from the first host, the control unit forwards the data packets to the gateway of the second private network through the VPN tunnel.
[0022] If the tunnel setup message including a network address of the second private network and a second network address to be used as a network address of the second private network in the VPN tunnel is received, the VPN processor sends to the second private network a response message including a network address of the first private network, the second network address, and a third network address to be used as a network address of the first private network in the VPN tunnel. The VPN processor creates a private network connection management table through the processes from the reception of the tunnel setup request message from the second private network till the reception of an ACK message responding to the response message. The private network connection management table includes a network address of the first private network, a network address of the second private network, the second network address, and the third network address, and may further include a domain name of a gateway of the second private network and a server/client state display item according to VPN operations of the gateway of the second private network.
[0023] When the VPN processor creates the private network connection management table as above, the NAT/NAPT processor establishes a Network Address Translation (NAT) for hosts connected to the private networks with reference to the private network connection management table.

[0024] If an enquiry into a host connected to the second private network is received from the first private network, the DNS processor sends as a response a network address of the host used in the VPN tunnel.
[0025] If data packets having the third network address of the host as a destination address are transmitted from the second private network, the control unit sends the received data packets to the host with reference to the NAT.

[0026] The control unit comprises a web server for providing a tunnel setup request page in order for the host connected to the first private network to request the setup of the tunnel; a private network Domain Name Server (DNS) processor for obtaining an Internet Protocol (IP) address of the gateway of the second private network from a Domain Name Server (DNS) connected to the public networks with respect to the tunnel setup request by the host connected to the first private network; a Home-to-Home Tunnelling Initiation Protocol (HTIP) processor for transmitting and receiving a tunnel setup request message in accordance with the tunnel setup request transmitted through the public network interfaces or through the private network interfaces, the tunnel setup request message containing the necessary parameters for the setup of the tunnel between the first and the second private networks; a Virtual Private Network (VPN) processor operating as a server or a client, and processing such that the tunnel can be set up between the first and the second private networks; and an NAT/NAPT processor for translating a private IP address into an IP address or translating an IP address into a private IP address by using a Network Address Port Translation (NAPT) protocol with respect to data packets transmitted to the public networks from the private networks or vice versa. If a VPN tunnel is set up between the first private network and the second private network and if address translation is required, the NAT/NAPT processor translates private IP addresses in the VPN tunnel by using a Network Address Translation (NAT) protocol. The web server is replaceable with a middleware server.

[0027] If the tunnel setup request is received from the host connected to the first private network for the second private network, the HTIP processor sends to the gateway of the second private network the tunnel setup request message. The tunnel setup request message may include a VPN protocol to be used in the tunnel, the network address of the first private network and second network addresses to be used in the VPN tunnel instead of the network address of the first private network. When the HTIP processor receives a response to the tunnel setup request from the gateway of the second private network, the HTIP processor sends to the gateway of the second private network an acknowledgement (ACK). The response may include a VPN protocol to be used in the tunnel, the network address of the second private network, third network addresses to be used in the VPN tunnel instead of the network address of the second private network, the address of the first private network, and second network addresses to be used in the VPN tunnel instead of the network address of the first private network, and the ACK may include the VPN protocol, the network address of the first private network, the network address of the second private network, the second network address, and the third network address. When a READY message, which includes a VPN protocol to be used in the tunnel, the third network address to be used in the VPN tunnel instead of the network address of the second private network, the address of the first private network, and the second network address to be used in the VPN tunnel instead of the network address of the first private network, is received, the HTIP processor sets the VPN processor to be a VPN client, and causes the VPN client to be driven.
[0028] The HTIP processor generates a private network connection management table by going through the processes from the generation of the tunnel setup request message with respect to the second private network till the reception of the READY message. The private network connection management table may include a network address of the first private network, a VPN protocol of the tunnel, an ID of the tunnel, a network address of the second private network, the second network address and the third network address, and may further include a domain name of the gateway of the second private network and a server/client state display item which displays the server/client state in accordance with the VPN operation of the gateway of the second private network.

[0029] The VPN tunnel is formed between the first and the second private networks, and if address translation is required at both ends of the VPN tunnel, the HTIP processor controls the NAT/NAPT processor so that address translation can be set at both ends of the VPN tunnel with reference to the private network connection management table.

[0030] In a state that the VPN tunnel is set up between the first and the second private networks, if a communication request is transmitted from the first host of the first private network to the second host of the second private network, the DNS processor enquires to the gateway of the second private network about the IP address corresponding to the domain name of the second host. If a response is received from the gateway of the second private network, the DNS processor transmits the received response to the first host.
[0031] If data packets which are destined to the IP address of the second host are transmitted from the first host, the control unit forwards the data packets to the gateway of the second private network through the VPN tunnel.

[0032] If a tunnel setup request message is received from the second private network, the HTIP processor transmits a response message to the second private network. The tunnel setup request message may include a VPN protocol of the tunnel, a network address of the second private network, and second network addresses to be used in the VPN tunnel instead of the network address of the second private network, and the response message may include the VPN protocol of the tunnel, the network address of the first private network, third network addresses to be used in the VPN tunnel instead of the network address of the first private network, the network address of the second private network and the second network addresses.
[0033] If an ACK message is received from the second private network, the HTIP processor sets the VPN processor to be a VPN server, and sends a READY message to the gateway of the second private network. The READY message may include a VPN protocol of the tunnel, a network address of the first private network, a third network address to be used in the VPN tunnel instead of the network address of the first private network, a network address of the second private network, and a second network address to be used in the VPN tunnel instead of the network address of the second private network.

[0034] The HTIP processor generates a private network connection management table by going through the processes from the reception of the tunnel setup request message from the second private network till the transmission of the READY message in response to the response message. The private network connection management table may include a VPN protocol of the tunnel, an ID of the tunnel, a network address of the first private network, a network address of the second private network, the second network address and the third network address, and may further include a domain name of the gateway of the second private network and a server/client state display item to display the server/client state in accordance with the VPN operation of the gateway of the second private network.

[0035] If a VPN tunnel is formed between the first and the second private networks, and address translation is required at both ends of the VPN tunnel, the HTIP processor controls the NAT/NAPT processor such that address translation can be set at both ends of the VPN tunnel with reference to the private network connection management table.

[0036] If an inquiry regarding the host connected to the first private network is received from the second private network, the DNS processor transmits a network address of the host used in the VPN tunnel as a response.

[0037] If data packets which are destined to the third network address of the host are transmitted from the second private network, the control unit translates the destination address of the data packets with reference to the translation table of the NAT/NAPT processor, and transmits the data packets to the host.
[0038] The gateway according to certain embodiments of the present invention as described above enables networking from private networks to the public network (Internet) as well as networking from the Internet to the private network, including networking from a private network to a different private network, so users can further expand their networking range.
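The tunnel setup exchange of paragraphs [0027] to [0037] (REQUEST, RESPONSE, ACK, READY, the private network connection management table at each end, and the NAT switched on at both tunnel ends under the overlap rule of [0016]) as an added Python simulation; it is not code from the patent. The message field names, the server side choosing the tunnel ID, the host-part-preserving 1:1 address mapping and the .example domain names are assumptions of this example.

```python
# Added example, not part of the patent: simulation of the HTIP
# REQUEST / RESPONSE / ACK / READY exchange between two home gateways, the
# connection management table each end builds, and the NAT applied at both
# tunnel ends when the two private networks overlap. Field names, the server
# choosing the tunnel ID, the host-part-preserving 1:1 mapping and the
# .example domain names are assumptions of this example.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict


def needs_translation(net_a: str, net_b: str) -> bool:
    """Overlap rule from the text: identical addresses, or one contained in the other."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    return a == b or a.subnet_of(b) or b.subnet_of(a)


def remap(addr: str, src_net: str, dst_net: str) -> str:
    """Keep the host part, replace the network part (1:1 NAT, equal prefix lengths assumed)."""
    src, dst = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("tunnel network must be the same size as the private network")
    offset = int(ipaddress.ip_address(addr)) - int(src.network_address)
    return str(dst.network_address + offset)


@dataclass
class Gateway:
    domain: str                     # name this gateway registers in the public DNS
    private_net: str                # network address of its own private network
    tunnel_net: str                 # address used in the tunnel instead of private_net
    hosts: Dict[str, str] = field(default_factory=dict)     # local DNS: name -> private IP
    table: Dict[str, object] = field(default_factory=dict)  # connection management table
    nat_on: bool = False

    def _learn(self, vpn: str, peer_net: str, peer_tunnel: str, peer_domain: str) -> None:
        self.table.update(vpn=vpn, local_net=self.private_net, local_tunnel=self.tunnel_net,
                          peer_net=peer_net, peer_tunnel=peer_tunnel, peer_domain=peer_domain)

    def _finish(self, state: str, tunnel_id: int) -> None:
        self.table.update(state=state, tunnel_id=tunnel_id)
        # NAT at both ends is needed only when the two address spaces would collide
        self.nat_on = needs_translation(self.private_net, str(self.table["peer_net"]))

    # HTIP messages in the order the text describes them (initiator ends as client)
    def request(self, vpn: str) -> dict:
        return {"type": "REQUEST", "vpn": vpn, "net": self.private_net,
                "tunnel_net": self.tunnel_net}

    def on_request(self, msg: dict, peer_domain: str) -> dict:
        self._learn(msg["vpn"], msg["net"], msg["tunnel_net"], peer_domain)
        return {"type": "RESPONSE", "vpn": msg["vpn"], "net": self.private_net,
                "tunnel_net": self.tunnel_net, "peer_net": msg["net"],
                "peer_tunnel_net": msg["tunnel_net"]}

    def on_response(self, msg: dict, peer_domain: str) -> dict:
        self._learn(msg["vpn"], msg["net"], msg["tunnel_net"], peer_domain)
        return {"type": "ACK", "vpn": msg["vpn"], "net": self.private_net,
                "tunnel_net": self.tunnel_net, "peer_net": msg["net"],
                "peer_tunnel_net": msg["tunnel_net"]}

    def on_ack(self, msg: dict, tunnel_id: int) -> dict:
        self._finish("server", tunnel_id)          # responder becomes the VPN server
        return {"type": "READY", "vpn": msg["vpn"], "tunnel_id": tunnel_id,
                "net": self.private_net, "tunnel_net": self.tunnel_net,
                "peer_net": msg["net"], "peer_tunnel_net": msg["tunnel_net"]}

    def on_ready(self, msg: dict) -> None:
        self._finish("client", msg["tunnel_id"])   # initiator becomes the VPN client

    def dns_answer(self, name: str) -> str:
        """Address of a local host as answered to the far side (tunnel address if NAT is on)."""
        ip = self.hosts[name]
        return remap(ip, self.private_net, self.tunnel_net) if self.nat_on else ip

    def to_tunnel(self, pkt: dict) -> dict:
        """Local host -> tunnel: rewrite the source address when NAT is on."""
        return dict(pkt, src=remap(pkt["src"], self.private_net, self.tunnel_net)) if self.nat_on else pkt

    def from_tunnel(self, pkt: dict) -> dict:
        """Tunnel -> local host: rewrite the destination address when NAT is on."""
        return dict(pkt, dst=remap(pkt["dst"], self.tunnel_net, self.private_net)) if self.nat_on else pkt


def setup_tunnel(a: Gateway, b: Gateway, vpn: str = "L2TP", tunnel_id: int = 1) -> None:
    """Whole exchange: a initiates and ends as client, b responds and ends as server."""
    resp = b.on_request(a.request(vpn), peer_domain=a.domain)
    ack = a.on_response(resp, peer_domain=b.domain)
    a.on_ready(b.on_ack(ack, tunnel_id))


def demo(net_b: str = "192.168.1.0/24") -> dict:
    """Host 'tv' behind gateway A sends one packet to host 'fridge' behind gateway B."""
    a = Gateway("home-a.example", "192.168.1.0/24", "10.0.1.0/24", {"tv": "192.168.1.10"})
    fridge = str(ipaddress.ip_network(net_b).network_address + 20)   # constructed host
    b = Gateway("home-b.example", net_b, "10.0.2.0/24", {"fridge": fridge})
    setup_tunnel(a, b)
    dst = b.dns_answer("fridge")        # relayed to the tv by gateway A's DNS processor
    wire = a.to_tunnel({"src": a.hosts["tv"], "dst": dst})
    delivered = b.from_tunnel(wire)
    return {"nat": a.nat_on, "roles": (a.table["state"], b.table["state"]),
            "dns": dst, "wire": wire, "delivered": delivered}
```

Calling `demo()` with both sides on 192.168.1.0/24 shows NAT on and the packet rewritten at each end; `demo("172.16.5.0/24")` shows the non-overlapping case, where the tunnel is set up but packets pass untouched.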

BRIEF DESCRIPTION OF THE DRAWINGS



[0039] The above aspects and features of the present invention will be more apparent by describing certain embodiments of the present invention with reference to the accompanying drawings, in which:
[0040] FIG. 1 is a view showing a network structure including a gateway according to an embodiment of the present invention;
[0041] FIG. 2 is a schematic block diagram of the gateway of FIG. 1;
[0042] FIG. 3 is a signal flow view for explaining a process for setting up a VPN tunnel between two private networks having different expanded network IDs;
[0043] FIG. 4 is a signal flow view for explaining a packet transfer process between hosts A and B through a tunnel between a private network A and a private network B by the process of FIG. 3;
[0044] FIG. 5 is a signal flow view for explaining a VPN tunnel setup process of two private networks having the same expanded network IDs;
[0045] FIG. 6 is a signal flow view for explaining a packet transfer process between a host A and a host B through a tunnel set up between a private network A and a private network B by the process of FIG. 5;
[0046] FIG. 7 is a signal flow view for explaining a VPN tunnel setup process between two private networks when an expanded network ID of the private network A is included in an expanded network ID of the private network B;
[0047] FIG. 8 is a schematic block diagram of the gateway according to another embodiment of the present invention;
[0048] FIG. 9 is a signal flow view for explaining a VPN tunnel setup process between two private networks with different expanded network IDs;
[0049] FIG. 10 is a signal flow view for explaining a packet transfer process between host A and host B through the tunnel set up therebetween by the process shown in FIG. 9;
[0050] FIG. 11 is a signal flow view for explaining a VPN tunnel setup process between two private networks with expanded network IDs matching each other;
[0051] FIG. 12 is a signal flow view for explaining a packet transfer process between host A and host B through the tunnel set up therebetween by the process shown in FIG. 11; and
[0052] FIG. 13 is a signal flow view for explaining a VPN tunnel setup process between two private networks A and B when the expanded network ID of the private network A is included in the expanded network ID of the private network B.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

[0053] Certain embodiments of the present invention will be described in greater detail with reference to the accompanying drawings.

[0054] In the following description, the same drawing reference numerals are used for the same elements even in different drawings. The matters defined in the description, such as a detailed construction and elements, are nothing but the ones provided to assist in a comprehensive understanding of the invention. Thus, it is apparent that the present invention can be carried out without those defined matters. Also, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.
[0055] Additionally, a single reference number may be used to represent a plurality of elements in the description.

[0056] FIG. 1 is a view showing a network structure including home gateways according to an embodiment of the present invention. The network includes private networks 200A and 200B, access networks, and the Internet 300. The private networks 200A and 200B have private network hosts 210A and 210C and private hosts 210B and 210D connected therein, respectively, and a DNS server 330 and a plurality of public network hosts 310 and 320 are connected to the Internet 300. The private networks 200A and 200B and the Internet 300 are connected to each other through the access networks including the ISPs 150 and the home gateways 100A and 100B.

[0057] The home gateways A and B (100A and 100B) connecting the private networks A and B (200A and 200B) and the Internet 300 are each assigned an IP address from the ISP 150 and register the assigned IP address with a DNS server 330 connected to the Internet. The home gateways A and B (100A and 100B) each provide services through an NAPT protocol and a VPN so that the hosts A, B, C and D (210A, 210B, 210C and 210D) on each private network and the hosts 310 and 320 connected to the Internet 300 can communicate with one another. Further, the home gateways 100 provide services in order for the hosts A and C (210A and 210C) on one of the private networks A and B (200A and 200B) to mutually communicate with the hosts B and D (210B and 210D) connected to the other of the private networks A and B (200A and 200B). Accordingly, upon a connection request from one host (for example, a host A) on a private network A (200A, for example) to another host (for example, a host B) of the private network B (200B, for example), the home gateway A (100A) creates a VPN tunnel to a counterpart home gateway B (100B) for communications, and different private IP addresses to be used for the VPN tunnel are allocated to the hosts 210 connected to the respective private networks A and B (200A and 200B), so that the host A (210A, for example) or the host C (210C, for example) connected to the private network A (200A, for example) can mutually communicate with the host B (210B, for example) or the host D (210D, for example) connected to the private network B (200B, for example) through the NAT at both ends of the tunnel.
[0058] FIG. 2 is a block diagram showing a gateway according to an embodiment of the present invention. The gateways 100 each include a public network interface 110, a private network interface 120, a memory unit 130, and a control unit 140.
[0059] At least two or more interfaces are provided as above, at least one of them being a public network interface and at least one of them being a private network interface. The public network interface 110 is physically connected to the Internet 300 by ADSL, cable modem or Ethernet, and has one IP address allocated from the ISP 150. The private network interface 120 can be configured with Ethernet, wireless LAN, or home PNA in a wired and/or wireless manner, and the control unit 140 has private IP addresses. The network addresses used for a private network are randomly selected out of the addresses allowed for such use by the Internet Assigned Numbers Authority (IANA).

[0060] The memory unit 130 stores programs related to the system operations as well as newly generated and updated data.

[0061] The control unit 140 has an NAT/NAPT processor 141, an Internet Protocol (IP) processor 142, a Domain Name Service (DNS) processor 143, a Dynamic Host Configuration Protocol (DHCP) processor 144, a router 145, a VPN processor 146, a web/middleware server 147, an encryption processor 148, and a user authentication processor 149.

[0062] The NAT/NAPT processor 141 translates a private IP address into an IP address, or an IP address into a private IP address, for packets transferred from a private network to the Internet or from the Internet to a private network. Further, the NAT/NAPT processor 141 uses the NAT protocol to translate addresses in a VPN tunnel in case the private networks are connected to each other through the VPN tunnel. The NAT/NAPT processor 141 continuously generates and updates the NAT and NAPT tables of the memory unit 130.

[0063] The IP processor 142 processes an IP datagram (or an IP packet) transferred from the public network interface 110 and the private network interface 120.

[0064] The router 145 sets up an optimum path between an external host connected to the public network and a host connected to a private network. The router 145 continuously generates and updates the routing table of the memory unit 130.

[0065] The DNS processor 143 manages domain names and private IP addresses for hosts inside a private network. Further, if hosts inside the private network make enquiries into hosts outside the private network, the DNS processor 143 obtains the answers for its responses from the DNS server 330 on the Internet, or from a home gateway located on a previous stage of the other private network. The DNS processor 143 manages a DNS table related to the hosts inside a private network.

[0066] The DHCP processor 144 responds to requests from hosts inside a private network for an available private IP address, a gateway address, a DNS processor address, and so on, when network devices inside the private network boot. The DHCP processor 144 acquires the domain name of a host as part of the response to the host's request, and transfers the acquired domain name to the DNS processor 143 to generate and update the DNS table.

[0067] The web/middleware server 147 provides a way for a user of a private network to request the setup of a tunnel to a different private network. The user can request the service by using a web browser or a middleware client.

[0068] The VPN processor 146 operates as a VPN server with respect to hosts on the Internet, or operates as a VPN server or a VPN client to enable connections to different private networks. Further, if a host inside a private network requests a connection to a different private network through the web/middleware server 147, the VPN processor 146 sets up a VPN tunnel by communicating with the different private network, and sets up an NAT at the end of the VPN tunnel based on the network address of the private network. Information necessary for connections to other private networks is managed by generating a private network connection management table, and the data generated in the table is stored in the memory unit 130. The private network connection management table includes the network address of the self-private network, the network addresses of other private networks, the network address of the self-private network to be used in a VPN tunnel, and the network addresses of other private networks to be used in the VPN tunnel, and can further include server/client state display items according to the domain name of a counterpart private network gateway and the VPN operations of the counterpart private network gateway.

[0069] The encryption processor 148 encrypts packets communicated between a private network and a public network or between a private network and another private network.

[0070] The user authentication processor 149 carries out an authentication process on external users who want to get access to a private network from a public network, or on users who get access to a private network gateway for configuration changes and the like.

[0071] When setting up a VPN tunnel to a different private network, the above gateway carries out operations corresponding to each of three occasions as follows. Descriptions will be made of the individual occasions with reference to FIG. 1.

[0072] First, there may exist an occasion in which the expanded network IDs (the multiplication, that is, the bitwise AND, of a network ID and a subnet mask) of the private network A (200A, for example) and the private network B (200B, for example) are different from each other. For example, when the network ID of the private network A (200A, for example) is set to 10.0.0.0/24 and the network ID of the private network B (200B, for example) is set to 10.0.1.0/24 (case 1), the expanded network ID of the private network A (200A, for example) becomes 10.0.0.x, and the expanded network address of the private network B becomes 10.0.1.x, so they are different from each other. In this occasion, the private network A and the private network B can communicate with each other with only the setup of a VPN tunnel.

[0073] Second, there may exist an occasion in which the expanded network IDs of the private network A and the private network B are identical to each other (case 2). For example, when the network IDs of the private network A and the private network B are both set to 10.0.0.0/24, the expanded network IDs of the private network A (200A, for example) and the private network B (200B, for example) both become 10.0.0.x, so that they are identical to each other. In this case, if the host C (210C) has the same IP address as the host B (210B) when the host A (210A, for example) on the private network A (200A) tries to send packets to the host B (210B, for example) on the private network B (200B), the home gateway A (100A) generates a transmission error, since it cannot tell whether the packets transferred from the host A (210A) are destined for the host B (210B) or the host C (210C), so that no communications are made between the two private networks. Accordingly, in this occasion, a new IP address is assigned which can be used in the tunnel set up between the private network A (200A) and the private network B (200B). For example, the private network A is assigned a network address of 10.0.1.0/24, the private network B is assigned a network address of 10.0.2.0/24, and the NAT is carried out at both ends of the VPN tunnel. As a result, when the hosts 210B and 210D on the private network B (200B) are viewed from the private network A (200A), the hosts on the private network B (200B) are recognized with a network address of 10.0.2.x, and, when viewed from the private network B (200B), the hosts 210A and 210C on the private network A (200A) are recognized with a network address of 10.0.2.y, so that mutual communications can be made between the hosts 210A and 210C of the private network A (200A) and the hosts 210B and 210D of the private network B (200B).

[0074] Third, there may exist an occasion in which the network ID of the private network A is included in the network ID of the private network B. For example, when the private network A (200A) is given 10.0.0.0/24 and the private network B (200B) is given 10.0.0.0/16 (case 3), the expanded network ID of the private network A (200A) becomes 10.0.0.x and the expanded network ID of the private network B (200B) becomes 10.0.x.x, so they are different from each other, but 10.0.0.x is included as part of 10.0.x.x. Even in this occasion, a VPN tunnel is created between the private network A (200A) and the private network B (200B), the network addresses 10.0.1.0/24 and 10.1.0.0/16 are allocated to the private network A (200A) and the private network B (200B) respectively, and the NAT is carried out at both ends of the tunnel. As a result, when viewed from the private network A (200A), the hosts on the private network B (200B) are seen with addresses of 10.1.x.y, and, when viewed from the private network B (200B), the hosts on the private network A (200A) are seen with addresses of 10.0.1.z, so that the hosts of the private network A (200A) can communicate with the hosts of the private network B (200B).
[0075] In each of the above three occasions, since the expanded network IDs of the private network A (200A) and the private network B (200B) are made different from each other, communications therebetween are enabled through only the setup of a VPN tunnel therebetween, without additional configurations.
[0076] Hereinafter, description will be made of the VPN tunnel creation and the packet transfer process between two private networks for each of the above three occasions.

[0077] FIG. 3 is a signal flow chart for explaining a process for setting up a VPN tunnel between two private networks having different expanded network IDs. First, a user of the private network A (200A) requests the setup of a tunnel to the private network B (200B) on the tunnel setup request page provided by the web server 147 of the gateway A (100A), through a web browser 212 at the host A (210A). The gateway A (100A), requested to set up a tunnel between the private network A (200A) and the private network B (200B), acquires the IP address (211.32.119.136) of the gateway B (100B) from the DNS server 330 on the Internet through the DNS processor 143. Next, the gateway A (100A) launches a client program in the VPN processor 146 and requests the VPN processor 146' of the gateway B (100B) to create a tunnel. The message requesting the setup of a tunnel between the private networks includes the network address 10.0.0.0/24 of the private network A (200A) and the network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used instead of the network address of the private network A (200A) in the VPN tunnel. At this time, since the NAT is not necessary in the VPN tunnel if the network addresses of the private network A (200A) and the private network B (200B) are different, the address 10.0.0.0/24 of the private network A (200A) is selected as it is; in case the expanded network addresses of the private network A and the private network B are identical to each other, one available address out of 10.0.1.0/24, 10.0.2.0/24, ... is selected.

[0078] The gateway B (100B), if a message requesting a tunnel creation between the private networks is received from the gateway A (100A), transmits a response message on the tunnel creation between the private networks from the VPN processor 146' to the gateway A (100A). The response message includes the network address 10.0.1.0/24 of the private network B (200B), the network address 10.0.0.0/24 to be used instead of the network address of the private network A (200A) in the VPN tunnel, and the network addresses 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, ... to be used instead of the network address of the private network B (200B) in the VPN tunnel.
[0079] The gateway A (100A) receiving the response message transmits an acknowledgement (ACK) of the tunnel setup between the private networks to the gateway B (100B). The ACK includes the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.1.0/24 of the private network B (200B), the network address 10.0.0.0/24 to be used for the network address of the private network A (200A) in the VPN tunnel, and the network address 10.0.1.0/24 to be used for the network address of the private network B (200B) in the VPN tunnel. At this time, if the address of the private network A (200A) is identical to the network address to be used for the network address of the private network A (200A) in the VPN tunnel, it means that the NAT does not occur in the VPN tunnel, and, if not identical, it means that the NAT occurs.

[0080] After receiving and transferring the ACK messages, private network connection management tables 132 and 132' are generated in the gateway A (100A) and the gateway B (100B), respectively. The private network connection management table 132 includes the domain name of the counterpart gateway, an item indicating whether the counterpart gateway is a VPN server or a VPN client, the network address of the private network A (200A), the network address of the private network B (200B), the network address to be used for the network address of the private network A (200A) in the VPN tunnel, the network address to be used for the network address of the private network B (200B) in the VPN tunnel, and so on.

[0081] The table that the gateway A (100A) generates includes the domain name (gateway B) of the gateway B (100B), an item (server) indicating that the gateway B is a VPN server, the network address (10.0.0.0/24) of the private network A, the network address (10.0.1.0/24) of the private network B, the network address (10.0.0.0/24) to be used for the network address of the private network A in the VPN tunnel, the network address (10.0.1.0/24) to be used for the network address of the private network B in the VPN tunnel, and so on.

[0082] As above, once the ACK signal has been exchanged between the two private networks, a VPN tunnel is created between the gateway A (100A) and the gateway B (100B), and a PPP connection is established in the tunnel. Thereafter, packets transmitted from the host A (210A) to the end of the VPN tunnel of the gateway A (100A) are transferred to the end of the VPN tunnel of the gateway B (100B) through the PPP connection.

[0083] FIG. 4 is a signal flow view for explaining a packet transfer process between the host A (210A) and the host B (210B) through the tunnel set up between the private network A (200A) and the private network B (200B) by the process of FIG. 3. First, a user of the private network A (200A) knows the domain name of the host B (210B), and an application program installed in the host A (210A) transmits a DNS enquiry to the gateway A (100A) in order to learn the IP address corresponding to the domain name of the host B (210B). Accordingly, the DNS processor 143 of the gateway A (100A) first looks up the private network connection management table 132. Then, if a VPN tunnel is established between the private network A (200A) and the private network B (200B), the DNS processor 143 sends the DNS enquiry into the host B (210B) to the gateway B (100B).

[0084] If the DNS enquiry is transferred from the gateway A (100A) to the gateway B (100B) as above, the DNS processor 143' of the gateway B (100B) transfers to the gateway A (100A) a response message carrying the network address 10.0.1.5, which indicates the host B (210B) in the VPN tunnel, instead of the network address of the host B (210B).

[0085] The gateway A (100A) forwards to the host A (210A) the private IP address 10.0.1.5 returned for the host B (210B) by the DNS processor 143' of the gateway B (100B).

[0086] If the private IP address of the host B (210B) is received from the gateway A (100A), the host A (210A) transmits packets to the gateway A (100A) by writing the received private IP address (10.0.1.5) as the destination address and the private IP address (10.0.0.4) of the host A (210A) as the source address.
[0087] The gateway A (100A), if packets are received from the host A (210A), transfers the received packets to the end of the tunnel of the gateway A (100A) with reference to a routing table 145 and a forwarding setting. Since a PPP connection is set in the VPN tunnel between the gateway A (100A) and the gateway B (100B), the packets sent to the end of the tunnel of the gateway A (100A) are transmitted to the end of the tunnel of the gateway B (100B).

[0088] The gateway B (100B), if the packets are transferred through the VPN tunnel, forwards the packets to the host B (210B) with reference to a routing table 145' and a forwarding setting.

[0089] The host B (210B), if the packets are received, sends a response by writing the private IP address (10.0.1.5) of the host B (210B) as the source address and the private IP address (10.0.0.4) of the host A (210A) as the destination address.

[0090] Thereafter, the host A (210A) and the host B (210B) repeat the above packet transfer process through the tunnel formed between the private network A (200A) and the private network B (200B).

[0091] FIG. 5 is a signal flow view for explaining a VPN tunnel setup process between two private networks having the same expanded network IDs. First, if a user of the private network A (200A) requests the setup of a tunnel to the private network B (200B) on the tunnel setup request page provided by the web server 147 of the gateway A (100A) through the web browser 212 in the host A (210A), the gateway A (100A) receiving the request for setting up the tunnel between the private network A (200A) and the private network B (200B) obtains the IP address (211.32.119.136) of the gateway B (100B) from the DNS server 330 on the Internet through the DNS processor 143. Next, the gateway A (100A), having obtained the IP address of the gateway B (100B), launches a client program at the VPN processor 146 and requests the VPN processor 146' of the gateway B (100B) to create a tunnel between the private networks. The message requesting the setup of a tunnel between the private networks includes the network address (10.0.0.0/24) of the private network A (200A) and the network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used for the network address of the private network A (200A) in the VPN tunnel.

[0092] The VPN processor 146' of the gateway B (100B), if a tunnel setup request is received from the gateway A (100A), transfers to the gateway A (100A) a response message to the tunnel setup request between the private networks. The response message includes the network address (10.0.0.0/24) of the private network B (200B), the network address (10.0.1.0/24) to be used for the network address of the private network A (200A) in the VPN tunnel, and the network addresses (10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, ...) to be used for the network address of the private network B (200B) in the VPN tunnel.

[0093] The gateway A (100A), if the response message is received from the gateway B (100B), sends to the gateway B (100B) an ACK of the tunnel setup between the private networks. The ACK includes the network address (10.0.0.0/24) of the private network A (200A), the network address (10.0.0.0/24) of the private network B (200B), the network address (10.0.1.0/24) to be used for the network address of the private network A (200A) in the VPN tunnel, and the network address (10.0.2.0/24) to be used for the network address of the private network B (200B) in the VPN tunnel. Since the address of the private network A (200A) is not identical to the network address to be used for the network address of the private network A (200A) in the VPN tunnel, the gateway A (100A) recognizes that address translation by the NAT protocol is used.

[0094] After receiving and transferring the ACK messages, private network connection management tables 132 and 132' are generated in the gateway A (100A) and the gateway B (100B), respectively. The private network connection management table 132 includes the domain name of the counterpart gateway 100, an item indicating whether the counterpart gateway 100 is a VPN server or a VPN client, the network address of the private network A (200A), the network address of the private network B (200B), the network address to be used for the network address of the private network A (200A) in the VPN tunnel, the network address to be used for the network address of the private network B (200B) in the VPN tunnel, and so on.

[0095] The table that the gateway A (100A) generates includes the domain name (gateway B) of the gateway B (100B), an item (server) indicating that the gateway B is a VPN server, the network address (10.0.0.0/24) of the private network A (200A), the network address (10.0.0.0/24) of the private network B (200B), the network address (10.0.1.0/24) to be used for the network address of the private network A (200A) in the VPN tunnel, the network address (10.0.2.0/24) to be used for the network address of the private network B (200B) in the VPN tunnel, and so on.

[0096] Through the above process, a VPN tunnel is created between the gateway A (100A) and the gateway B (100B), and a PPP connection is established in the tunnel. Thereafter, packets transmitted to the end of the VPN tunnel of the gateway A (100A) are transferred to the end of the VPN tunnel of the gateway B (100B) through the PPP connection.

[0097] Once the VPN tunnel is created and the PPP connection is finished, the gateway A (100A) establishes the NAT at the gateway A (100A) end of the VPN tunnel with reference to the private network connection management table 132. If the NAT is established, a source address 10.0.0.x is translated into 10.0.1.x when packets are sent from the private network A (200A) into the VPN tunnel through the gateway A (100A), and a destination address 10.0.1.y is translated into 10.0.0.y when packets are sent to the private network A from the VPN tunnel through the gateway A (100A). Likewise, the gateway B establishes the NAT at the gateway B end of the VPN tunnel.

[0098] FIG. 6 is a signal flow view for explaining a packet transfer process between the host A (210A) and the host B (210B) through the tunnel set up between the private network A and the private network B by the process of FIG. 3. First, a user of the private network A (200A) knows the domain name of the host B (210B), and, if an application program installed in the host A (210A) transmits to the gateway A (100A) a DNS enquiry into the host B (210B), the DNS processor 143 of the gateway A (100A) looks up the private network connection management table 132. Then, if a VPN tunnel is established between the private network A (200A) and the private network B (200B), the DNS processor 143 sends the DNS enquiry to the gateway B (100B) in order to learn the private IP address of the host B (210B) to be used in the VPN tunnel, since it has recognized that the NAT is necessary for the packets passing through the tunnel.

[0099] The DNS processor 143' of the gateway B (100B), if an enquiry into the host B (210B) is received, transfers to the gateway A (100A) a response message carrying the IP address of the host B (210B) to be used in the VPN tunnel, and the gateway A (100A) sends it back to the host A (210A).

[0100] Thereafter, the host A (210A) transfers packets to the gateway A (100A) in order to send the packets to the host B (210B). The destination address of the packets is written as 10.0.2.5, and the source address is written as 10.0.0.4.

[0101] If packets to the host B (210B) are received from the host A (210A), the gateway A (100A) transfers the packets to the end of the tunnel of the gateway A (100A) with reference to the routing table and a forwarding setting. The source address 10.0.0.4 is translated into 10.0.1.4, since the NAT is established at the end of the VPN tunnel of the gateway A (100A). The packets with the source address translated through the NAT are transmitted to the tunnel end of the gateway B (100B), since the PPP connection is established for the tunnel between the gateway A (100A) and the gateway B (100B).

[0102] The gateway B (100B) translates the destination address 10.0.2.5 into 10.0.0.5 through the NAT established at the end of the VPN tunnel of the gateway B (100B), with respect to the packets transferred to the end of the tunnel of the gateway B (100B) with the source address translated through the NAT as above. The packets having the destination address translated through the NAT as above are transmitted to the host B (210B) with reference to the routing table and the forwarding setting.

[0103] Thereafter, the host B (210B) sends a response to the host A (210A), and the above packet transfer process is repeated for communications.

[0104] FIG. 7 is a signal flow chart for explaining a VPN tunnel setup process between two private networks in case the expanded network ID of the private network A is included in the expanded network ID of the private network B. First, if a user of the private network A (200A) requests the setup of a tunnel to the private network B (200B) on the tunnel setup request page provided by the web server 147 of the gateway A (100A) through the web browser 212 in the host A (210A), the gateway A (100A) receiving the request for setting up the tunnel between the private network A (200A) and the private network B (200B) obtains the IP address (211.32.119.136) of the gateway B (100B) from the DNS server 330 on the Internet through the DNS processor 143. Next, the gateway A (100A), having obtained the IP address of the gateway B (100B), launches a client program at the VPN processor 146 and requests the VPN processor of the gateway B (100B) to create a tunnel between the private networks. The message requesting the setup of a tunnel between the private networks includes the network address (10.0.0.0/24) of the private network A and the network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used for the network address of the private network A in the VPN tunnel.

[0105] The VPN processor 146' of the gateway B (100B), if a tunnel setup request message is received from the gateway A (100A), transfers a response message to the tunnel setup request between the private networks. The response message includes the network address (10.0.0.0/16) of the private network B (200B), the network address (10.0.1.0/24) to be used for the network address of the private network A in the VPN tunnel, and the network addresses (10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, ...) to be used for the network address of the private network B in the VPN tunnel.

[0106] The gateway A (100A), if the response message is received from the gateway B (100B), sends to the gateway B (100B) an ACK of the tunnel setup between the private networks. The ACK includes the network address (10.0.0.0/24) of the private network A (200A), the network address (10.0.0.0/16) of the private network B (200B), the network address (10.0.1.0/24) to be used for the network address of the private network A in the VPN tunnel, and the network address (10.1.0.0/24) to be used for the network address of the private network B in the VPN tunnel. Since the address of the private network A is not identical to the network address to be used for the network address of the private network A in the VPN tunnel, the gateway A (100A) recognizes that the NAT is used.

[0107] After receiving and transferring the ACK messages, private network connection management tables 132 and 132' are generated in the gateway A (100A) and the gateway B (100B), respectively. The table that the gateway A (100A) generates includes the domain name of the gateway B (100B), an item indicating that the gateway B (100B) is a VPN server, the network address (10.0.0.0/24) of the private network A, the network address (10.0.0.0/16) of the private network B, the network address (10.0.1.0/24) to be used for the network address of the private network A in the VPN tunnel, the network address (10.1.0.0/16) to be used for the network address of the private network B in the VPN tunnel, and so on.

[0108] Through the above process, a PPP connection is set up in a VPN tunnel between the gateway A (100A) and the gateway B (100B). Thereafter, packets transmitted to the end of the VPN tunnel of the gateway A (100A) are transferred to the end of the VPN tunnel of the gateway B (100B) through the PPP connection.

[0109] Next, once the VPN tunnel is created and the PPP connection is finished, the gateway A (100A) establishes the NAT at the gateway A (100A) end of the VPN tunnel with reference to the private network connection management table 132. If the NAT is established, a source address 10.0.0.x is translated into 10.0.1.x when packets are sent from the private network A into the VPN tunnel through the gateway A (100A), and a destination address 10.0.1.y is translated into 10.0.0.y when packets are sent to the private network A from the VPN tunnel through the gateway A (100A). Likewise, the gateway B (100B) also establishes the NAT at the gateway B end of the VPN tunnel.

[0110] If the NAT is established at both ends of the VPN tunnel formed between the gateway A (100A) and the gateway B (100B) as above, the host A (210A) and the host B (210B) can mutually communicate through the data packet transfer process of FIG. 6.

[0111] Hereinbelow, a gateway according to another 
embodiment of the present invention will be described. 
[0112] FIG. 8 is a block diagram of a gateway according to another embodiment of the present invention. The gateway 100 includes a public network interface 110, a private network interface 120, a memory unit 130 and a control unit 140.

[0113] The public network interface 110, the private network interface 120 and the memory unit 130 have identical operations and functions to those described above. The control unit 140 includes a Network Address Translation (NAT)/NAPT processor 141, an Internet Protocol (IP) processor 142, a Domain Name Service (DNS) processor 143, a Dynamic Host Configuration Protocol (DHCP) processor 144, a router 145, a HTIP processor 146A, a VPN processor 146B, a web/middleware server 147, an encryption processor 148 and a user authentication processor 149.

[0114] The NAT/NAPT processor 141, the IP processor 142, the DNS processor 143, the DHCP processor 144, the router 145, the web/middleware server 147, the encryption processor 148 and the user authentication processor 149 have identical operations and functions to those described above.

[0115] The HTIP processor 146A negotiates the parameters for the creation of a tunnel with the other private networks, and accordingly controls the VPN processor 146B and the NAT/NAPT processor 141 using those parameters. The parameters may include the type of VPN protocol for use in the creation of the VPN tunnel, the network address of the self-private network, the network address of the other private network, the network address of the self-private network for use in the VPN tunnel, and the network address of the other private network for use in the VPN tunnel.

[0116] The HTIP processor 146A enables direct communication between communication devices of the plurality of private networks, irrespective of the private IP addresses or the type of VPN protocol being used. The parameters resulting from the negotiation, and the list of VPN tunnels created among the private networks, are stored in the memory unit 130. In other words, the information necessary for connecting with the other private networks is incorporated into a private network connection management table, and the tabulated data are stored in the memory unit 130.

[0117] In response to a request, delivered through the web/middleware server 147 from a host of a private network, for a connection to another private network, the HTIP processor 146A communicates with the other private network, negotiates the parameters necessary for the creation of the VPN tunnel, controls the VPN processor 146B to create the VPN tunnel in accordance with the negotiated parameters, and controls the NAT/NAPT processor 141 so that a NAT can be set at the end of the VPN tunnel according to the network address of the private network. The private network connection management table may include the VPN protocol being used, the network address of its own private network, the network address of the other private network, the network address of its own private network to be used in the VPN tunnel, and the network address of the other private network to be used in the VPN tunnel. The private network connection management table may additionally include a domain name of the counterpart private gateway, and an item indicating server/client status in accordance with the VPN operation of the counterpart private gateway.

[0118] The VPN processor 146B operates as a VPN server towards hosts located in the Internet, while operating as either a VPN server or a VPN client to enable connection with other private networks. Once the HTIP processor 146A has completed negotiation with the HTIP processor 146A' located in the gateway of the other private network, it controls the VPN processor 146B to create a VPN tunnel between the different private networks.

[0119] In forming a VPN tunnel with another private network, the gateway operates differently in three main cases: first, when the private network A (200A) has an expanded network ID different from that of the private network B (200B); second, when the private network A (200A) has an expanded network ID identical to that of the private network B (200B); and third, when the network ID of the private network A (200A) is included in the network ID of the private network B (200B). The process of creating the VPN tunnel and transferring packets between the two private networks will be described in detail below with reference to these three cases.
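The three cases above decide whether a gateway can present its real prefix inside the tunnel or must pick a substitute, and whether a NAT is then needed at its tunnel end. The following Python is an added example written for this page, not code from the patent: it uses the standard ipaddress module to classify two prefixes into the three cases and to select a tunnel address from a preference-ordered candidate list, also rejecting candidates already committed to other tunnels, as the description requires when the address is already used towards a third private network. The function names, the constructed candidate lists and the in_use parameter are the example's own assumptions.

```python
from ipaddress import IPv4Network, ip_network

# Relationship between two private network addresses: the three cases described above.
DIFFERENT, IDENTICAL, A_IN_B, B_IN_A = "different", "identical", "a_in_b", "b_in_a"


def nets(*prefixes):
    """Build a list of IPv4Network objects from prefix strings."""
    return [ip_network(p) for p in prefixes]


# Constructed candidate lists mirroring the prefixes used in the description.
OFFERED_BY_A = nets("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")
SECOND_OFFER_BY_A = nets("10.2.0.0/24", "10.2.1.0/24")


def classify(net_a: IPv4Network, net_b: IPv4Network) -> str:
    """Return which of the three cases applies to the two private networks."""
    if net_a == net_b:
        return IDENTICAL
    if net_a.subnet_of(net_b):
        return A_IN_B
    if net_b.subnet_of(net_a):
        return B_IN_A
    # Two CIDR prefixes either nest or are disjoint, so nothing else overlaps.
    return DIFFERENT


def select_tunnel_prefix(candidates, peer: IPv4Network, in_use=()):
    """Pick the address a private network will present inside the VPN tunnel.

    candidates -- preference-ordered prefixes offered in the tunnel setup request
    peer       -- the address under which the other private network is known
    in_use     -- tunnel addresses this gateway already committed to other tunnels
    Returns the first candidate colliding with none of them, or None (the NAK case).
    """
    blocked = [peer, *in_use]
    for cand in candidates:
        if not any(cand.overlaps(b) for b in blocked):
            return cand
    return None


def nat_needed(own: IPv4Network, chosen: IPv4Network) -> bool:
    """A NAT is set at this tunnel end only if the tunnel address differs from the real one."""
    return chosen != own


def plan_tunnel(own: IPv4Network, candidates, peer: IPv4Network, in_use=()):
    """Return (case, chosen tunnel prefix or None, whether a NAT is needed at this end)."""
    case = classify(own, peer)
    chosen = select_tunnel_prefix(candidates, peer, in_use)
    return case, chosen, chosen is not None and nat_needed(own, chosen)


if __name__ == "__main__":
    own = ip_network("10.0.0.0/24")
    for peer in ("10.0.1.0/24", "10.0.0.0/24", "10.0.0.0/16"):
        print(peer, plan_tunnel(own, OFFERED_BY_A, ip_network(peer)))
```

In the third case the first offer yields None, which is exactly the situation in which the responding gateway sends a NAK and the initiator must offer a second list that lies outside the responder's /16.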
[0120] FIG. 9 is a signal flow view showing the process of forming a VPN tunnel between two private networks having different expanded network IDs. First, a user of the private network A (200A) sends a request for the setup of a tunnel to the private network B (200B) on a tunnel setup request page provided by the web server 147 of the gateway A (100A), through a web browser 212. Responding to the request, the gateway A (100A) obtains, through the DNS processor 143, the public IP address 211.32.119.136 of the gateway B (100B) from the DNS server 330 located in the Internet.
[0121] Next, the gateway A (100A) drives the HTIPD program at the HTIP processor 146A to request the HTIP processor 146A' of the gateway B (100B) to set up a tunnel. The tunnel setup request between the private networks may include a VPN protocol to be used, such as L2TP, and network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network A (200A). If the private network A (200A) and the private network B (200B) have different network addresses, and if the network address of the private network A (200A) is not already used to connect the private network B (200B) and a third private network through a VPN tunnel, the network address 10.0.0.0/24 of the private network A is selected directly, because there is no need for a NAT in the VPN tunnel. If the expanded network addresses of the private network A (200A) and the private network B (200B) are identical to each other, an available address among 10.0.1.0/24, 10.0.2.0/24, ... is selected instead.

[0122] Upon receiving the request for tunnel setup between the private networks from the gateway A (100A), the gateway B (100B) transmits a tunnel setup response message to the gateway A (100A) through the HTIP processor 146A'. The response message may include a VPN protocol to be used, such as L2TP, the network address 10.0.1.0/24 of the private network B (200B), network addresses (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network B (200B), the network address 10.0.0.0/24 of the private network A (200A), and the network address 10.0.0.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A).

[0123] Upon receiving the response message, the gateway A (100A) transmits a tunnel setup ACK to the gateway B (100B). The ACK message may include the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.1.0/24 of the private network B (200B), and the network address 10.0.0.0/24 to be used in the VPN tunnel instead of the network address of the private network B (200B). If the address of the private network A (200A) is identical to the network address to be used in the VPN tunnel instead of the network address of the private network A (200A), no address translation occurs in the VPN tunnel, while translation does occur when the two network addresses do not match.

[0124] After the ACK messages are sent and received, private network connection management tables 132 and 132' are created at the gateway A (100A) and the gateway B (100B). The private network connection management table 132 may include a domain name of the counterpart gateway, the VPN protocol being used, such as L2TP, a tunnel ID between the private networks, an item indicating whether the counterpart gateway is the VPN server or the VPN client, the network address of the private network A (200A), the network address of the private network B (200B), the network address to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address to be used in the VPN tunnel instead of the network address of the private network B (200B).

[0125] The table generated by the gateway A (100A) may include the domain name of the gateway B (100B), such as 'gateway B', an item (server) indicating that the gateway B is the VPN server, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.1.0/24 of the private network B (200B), the network address 10.0.0.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address 10.0.1.0/24 to be used in the VPN tunnel instead of the network address of the private network B (200B).

[0126] When the ACK message is received, the gateway B (100B) sets the VPN processor 146B' to be the VPN server in order to create a VPN tunnel under the VPN protocol to be used. When everything is prepared for the tunnel creation, including the setting of the VPN processor 146B' as the VPN server, the HTIP processor 146A' of the gateway B (100B) sends a READY message to the gateway A (100A), thereby notifying that preparation for the tunnel creation between the private networks has been completed. The READY message may include the VPN protocol in use, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.1.0/24 of the private network B (200B), the network address of the private network A (200A) to be used in the VPN tunnel, and the network address 10.0.1.0/24 of the private network B (200B) to be used in the VPN tunnel.

[0127] When the READY message is received, the gateway A (100A) sets the VPN processor 146B to be a VPN client of the gateway B (100B) under the VPN protocol to be used. The HTIP processor 146A drives the VPN client, and as a result a VPN (L2TP) tunnel is created between the gateway A (100A) and the gateway B (100B).

[0128] As described above, after the exchange of the ACK signal and the READY signal between the two private networks, a VPN tunnel is created, and a packet transferred from the host A (210A) to the end of the VPN tunnel at the gateway A (100A) is transferred to the end of the VPN tunnel at the gateway B (100B).

[0129] FIG. 10 shows the signal flow in the process of packet transfer between the host A (210A) and the host B (210B) through the tunnel formed between the private network A (200A) and the private network B (200B). First, a user of the private network A (200A) knows the domain name of the host B (210B), and an application program installed in the host A (210A) sends a DNS inquiry to the gateway A (100A) to find the IP address corresponding to the domain name of the host B (210B). Accordingly, the DNS processor 143 of the gateway A (100A) inspects the private network connection management table 132. If there is a VPN tunnel set up between the private network A (200A) and the private network B (200B), the gateway A (100A) sends a DNS inquiry about the host B (210B) to the gateway B (100B).

[0130] When the DNS inquiry is transmitted from the gateway A (100A) to the gateway B (100B), the DNS processor 143' of the gateway B (100B) sends a response message to the gateway A (100A) with reference to the private network connection management table 132'. The response message contains the network address 10.0.1.5, which identifies the host B (210B) in the VPN tunnel, instead of the network address of the host B (210B). The process of sending the DNS inquiry and responding to it is omitted from the drawings for conciseness.

[0131] The gateway A (100A) forwards the private IP address 10.0.1.5, which is the response from the DNS processor 143' of the gateway B (100B) for the host B (210B), to the host A (210A). When the private IP address of the host B (210B) is received from the gateway A (100A), the host A (210A) writes the received private IP address 10.0.1.5 in the destination address, while writing the private IP address 10.0.0.4 of the host A (210A) in the source address. Accordingly, the host A (210A) transmits packets to the gateway A (100A).

[0132] When the packet is received from the host A (210A), the gateway A (100A) transfers the received packet to the end of the VPN tunnel formed between the gateway A (100A) and the gateway B (100B), with reference to the routing table 145 and forwarding settings, and the packet sent to the end of the tunnel at the gateway A (100A) is transferred to the end of the tunnel at the gateway B (100B).

[0133] When the packet has been transferred through the VPN tunnel, the gateway B (100B) forwards the packet to the host B (210B) with reference to the routing table 145' and forwarding settings.

[0134] When the packet is received, the host B (210B) processes the received packet and sends a response, writing the private IP address 10.0.1.5 of the host B (210B) in the source address and the private IP address 10.0.0.4 of the host A (210A) in the destination address.

[0135] The host A (210A) and the host B (210B) continuously repeat the above-mentioned packet transfer process between the private network A (200A) and the private network B (200B).
[0136] FIG. 11 shows a signal flow explaining the process of forming a VPN tunnel between two private networks with identical expanded network IDs.

[0137] First, the user of the private network A (200A) submits, from the host A (210A) through the web browser 212, the tunnel setup request page provided by the web server 147 of the gateway A (100A), thereby requesting the creation of a tunnel between the private network A (200A) and the private network B (200B). In response to this request, the gateway A (100A) obtains, through the DNS processor 143, the public IP address 211.32.119.136 of the gateway B (100B) from the DNS server 330 located in the Internet. The process of sending the DNS inquiry and responding to it is omitted from the drawings for conciseness.

[0138] When the gateway A (100A) has obtained the public IP address of the gateway B (100B), the gateway A (100A) drives the HTIP program at the HTIP processor 146A and requests the HTIP processor 146A' of the gateway B (100B) to create a tunnel between the private networks. The tunnel setup request between the private networks may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), and network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network A (200A).

[0139] When the HTIP processor 146A' of the gateway B (100B) receives the tunnel setup request from the gateway A (100A), the gateway B (100B) transmits a response message to the tunnel setup request to the gateway A (100A). The response message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network B (200B), network addresses (10.0.2.0/24, 10.0.3.0/24, 10.0.4.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network B (200B), the network address 10.0.0.0/24 of the private network A (200A), and the network address 10.0.1.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A).
[0140] When the gateway A (100A) receives the response message from the gateway B (100B), the gateway A (100A) sends an ACK message to the gateway B (100B). The ACK message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.0.0/24 of the private network B (200B), the network address 10.0.1.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address 10.0.2.0/24 to be used in the VPN tunnel instead of the network address of the private network B (200B). Because the network address to be used in the VPN tunnel instead of the network address of the private network A (200A) differs from that network address, the gateway A (100A) recognizes that address translation by NAT will take place at both ends of the VPN tunnel.

[0141] After the exchange of the ACK message, private network connection management tables 132 and 132' are created at the gateway A (100A) and the gateway B (100B), respectively. Each private network connection management table 132 and 132' may include the VPN protocol in use, such as L2TP, a tunnel ID between the private networks, the domain name of the counterpart gateway 100A or 100B, an item indicating whether the counterpart gateway 100A or 100B is the VPN server or the VPN client, the network address of the private network A (200A), the network address of the private network B (200B), the network address to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address to be used in the VPN tunnel instead of the network address of the private network B (200B).
[0142] The table generated by the gateway A (100A) may include the VPN protocol in use, such as L2TP, the domain name of the gateway B (100B), such as 'gateway B', an item (server) indicating that the gateway B is the VPN server, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.0.0/24 of the private network B (200B), the network address 10.0.1.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address 10.0.2.0/24 to be used in the VPN tunnel instead of the network address of the private network B (200B).
[0143] When the gateway B (100B) receives the ACK message, the gateway B (100B) sets the VPN processor 146B' to be the VPN server in order to create a VPN tunnel under the VPN protocol in use. When the preparation for the tunnel creation between the private networks, including the setting of the VPN processor 146B' as the VPN server, is completed, the HTIP processor 146A' of the gateway B (100B) sends a READY message to the gateway A (100A), notifying that the preparation for the tunnel creation between the private networks has been completed. The READY message may include the VPN protocol in use, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.0.0/24 of the private network B (200B), the network address 10.0.1.0/24 to be used in the VPN tunnel for the private network A (200A), and the network address 10.0.2.0/24 to be used in the VPN tunnel for the private network B (200B).
[0144] When the gateway A (100A) receives the READY message, the gateway A (100A) sets the VPN processor 146B to be a VPN client of the gateway B (100B) under the VPN protocol to be used. When the HTIP processor 146A drives the VPN client, a VPN (L2TP) tunnel is created between the gateway A (100A) and the gateway B (100B).

[0145] According to the processes described above, a VPN tunnel is created between the gateway A (100A) and the gateway B (100B), and the packet transferred to the end of the VPN tunnel at the gateway A (100A) is transferred to the end of the VPN tunnel at the gateway B (100B).

[0146] When the creation and linking of the VPN tunnel is completed, and after the PPP connection, the gateway A (100A) sets a NAT at its own end of the VPN tunnel, with reference to the private network connection management table 132. With the NAT set, when a packet is transferred from the private network A (200A) through the gateway A (100A) into the VPN tunnel, the source address 10.0.0.x is translated to 10.0.1.x. When a packet is transferred from the VPN tunnel through the gateway A (100A) to the private network A (200A), the destination address 10.0.1.y is translated to 10.0.0.y. The gateway B (100B) likewise sets a NAT at its own end of the VPN tunnel.
[0147] FIG. 12 shows a signal flow explaining the packet transfer process between the host A (210A) and the host B (210B) through the tunnel set up between the private network A (200A) and the private network B (200B) by the processes shown in FIG. 11.

[0148] First, the user of the private network A (200A) knows the domain name of the host B (210B). When the application program 214 installed in the host A (210A) sends a DNS inquiry to the gateway A (100A), asking for the IP address corresponding to the domain name of the host B (210B), the DNS processor 143 of the gateway A (100A) inspects the private network connection management table 132. If there is a VPN tunnel set up between the private network A (200A) and the private network B (200B), and it is recognized that a NAT is required for packets passing through the tunnel, a DNS inquiry is sent to the gateway B (100B) for the private IP address of the host B (210B) to be used in the VPN tunnel.

[0149] When the DNS processor 143' of the gateway B (100B) receives the inquiry about the host B (210B), the DNS processor 143' sends the IP address 10.0.2.5, to be used in the VPN tunnel for the host B (210B), as a response message to the gateway A (100A), and the gateway A (100A) relays the response message to the host A (210A). The process of sending the DNS inquiry and responding to it is omitted from the drawings for conciseness. After that, the host A (210A) transfers a packet to the gateway A (100A) in order to send the packet to the host B (210B). The address 10.0.2.5 is written as the destination address of the packet, and the address 10.0.0.4 is written as the source address.

[0150] When the gateway A (100A) receives a packet from the host A (210A) which is destined for the host B (210B), the gateway A (100A) transfers the packet to the end of the tunnel at the gateway A (100A), with reference to the routing table and forwarding settings. Because a NAT is set at the end of the VPN tunnel at the gateway A (100A), the source address 10.0.0.4 is translated to 10.0.1.4, and the packet with the translated source address is transferred to the end of the tunnel at the gateway B (100B).

[0151] When the source address has been translated through the NAT and the packet with the translated source address has been transferred to the tunnel end at the gateway B (100B), the gateway B (100B) translates the destination address 10.0.2.5 to 10.0.0.5 through the NAT set at its end of the VPN tunnel. After the destination address has been translated through the NAT, the packet with the translated destination address is transferred to the host B (210B) with reference to the routing table and forwarding settings.

[0152] The host B (210B) sends a response to the host A (210A), and accordingly communication proceeds as the packet transfer process is repeated.
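The translation at the two tunnel ends described in [0146] and [0149] to [0152] (source 10.0.0.4 becomes 10.0.1.4 at the gateway A, destination 10.0.2.5 becomes 10.0.0.5 at the gateway B, and the DNS processor of the gateway B answers with the host B's tunnel-side address) is worked through below in an added Python example written for this page; it is not the patent's NAT/NAPT processor. Modelling a packet as a dict of source and destination addresses is the example's own assumption. The same rewrite, with the prefixes 10.2.0.0/24 and 10.1.0.0/16, covers the third case described later, and a pairing of real and tunnel prefixes of unequal length is rejected, since a host-bit-preserving rewrite cannot map one onto the other.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


class TunnelNat:
    """Prefix-rewriting NAT at one end of the VPN tunnel.

    On egress (private network -> tunnel) the source address is moved from the
    real prefix to the negotiated tunnel prefix; on ingress (tunnel -> private
    network) the destination address is moved back.  Host bits are preserved,
    so 10.0.0.4 becomes 10.0.1.4 and 10.0.2.5 becomes 10.0.0.5.
    """

    def __init__(self, real: IPv4Network, tunnel: IPv4Network):
        # Host bits can only be carried over between prefixes of equal length.
        if real.prefixlen != tunnel.prefixlen:
            raise ValueError("real and tunnel prefixes must have the same length")
        self.real, self.tunnel = real, tunnel

    @staticmethod
    def _remap(addr: IPv4Address, src: IPv4Network, dst: IPv4Network) -> IPv4Address:
        if addr not in src:
            return addr                      # not an address of this network: untouched
        host_bits = int(addr) - int(src.network_address)
        return IPv4Address(int(dst.network_address) + host_bits)

    def egress(self, pkt: dict) -> dict:
        """Packet leaving the private network into the tunnel: rewrite the source."""
        return {**pkt, "src": self._remap(pkt["src"], self.real, self.tunnel)}

    def ingress(self, pkt: dict) -> dict:
        """Packet arriving from the tunnel: rewrite the destination back."""
        return {**pkt, "dst": self._remap(pkt["dst"], self.tunnel, self.real)}

    def dns_answer(self, real_host: IPv4Address) -> IPv4Address:
        """Address the DNS processor reports for a local host to the other gateway."""
        return self._remap(real_host, self.real, self.tunnel)


def make_packet(src: str, dst: str, payload: str = "") -> dict:
    """Constructed minimal packet: only the fields the tunnel NAT touches."""
    return {"src": ip_address(src), "dst": ip_address(dst), "payload": payload}


def deliver(pkt: dict, sender_nat: TunnelNat, receiver_nat: TunnelNat) -> dict:
    """Carry one packet from a host through both tunnel ends to the other private network."""
    return receiver_nat.ingress(sender_nat.egress(pkt))


def identical_networks_example():
    """Constructed walk-through of FIG. 12: both private networks are 10.0.0.0/24."""
    nat_a = TunnelNat(ip_network("10.0.0.0/24"), ip_network("10.0.1.0/24"))
    nat_b = TunnelNat(ip_network("10.0.0.0/24"), ip_network("10.0.2.0/24"))
    # Host A learns host B's tunnel-side address from the DNS processor of gateway B.
    host_b_in_tunnel = nat_b.dns_answer(ip_address("10.0.0.5"))
    request = deliver(make_packet("10.0.0.4", str(host_b_in_tunnel)), nat_a, nat_b)
    # Host B replies to the source address it saw, which gateway A maps back.
    reply = deliver(make_packet("10.0.0.5", str(request["src"])), nat_b, nat_a)
    return host_b_in_tunnel, request, reply


if __name__ == "__main__":
    for item in identical_networks_example():
        print(item)
```

Because the rewrite is a pure prefix swap with host bits kept, neither gateway needs per-flow state, which is what lets the description reuse an unmodified L2TP or PPTP tunnel underneath.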
[0153] FIG. 13 shows a signal flow explaining the process of forming a VPN tunnel between two private networks A and B, in which the expanded network ID of the private network A is included in the expanded network ID of the private network B.
[0154] First, a user of the private network A (200A) opens the tunnel setup request page provided by the web server 147 of the gateway A (100A) at the host A (210A) through the web browser 212. Accordingly, in response to the user's request for tunnel creation, the gateway A (100A) obtains, through the DNS processor 143, the public IP address 211.32.119.136 of the gateway B (100B) from the DNS server 330 located in the Internet. The process of sending the DNS inquiry and responding to it is omitted from the drawings for conciseness.

[0155] When the gateway A (100A) has obtained the public IP address of the gateway B (100B), the HTIP processor 146A drives the HTIP program, and the gateway A (100A) requests the HTIP processor 146A' of the gateway B (100B) to create a tunnel between the private networks. The tunnel setup request message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), and network addresses (10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network A (200A).
[0156] The HTIP processor 146A' of the gateway B (100B) receives the tunnel setup request message from the gateway A (100A) and analyzes the received message. Because the network addresses (10.0.0.0/24, 10.0.1.0/24, ...), which are to be used in the VPN tunnel instead of the network address of the private network A (200A), are included in the network address of the private network B (200B), the HTIP processor 146A' of the gateway B (100B) sends a NAK message to the gateway A (100A). The NAK message may include, for re-negotiation, part of the tunnel setup request message sent from the gateway A (100A) to the gateway B (100B), such as the network addresses to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address 10.0.0.0/16 of the private network B (200B).

[0157] When the HTIP processor 146A of the gateway A (100A) receives the NAK message from the gateway B (100B), the HTIP processor 146A analyzes the content of the NAK message and re-sends a tunnel setup request. The second tunnel setup request message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), and network addresses (10.2.0.0/24, 10.2.1.0/24, ...) to be used in the VPN tunnel instead of the network address of the private network A (200A).
[0158] When the tunnel setup request message is received from the gateway A (100A), the HTIP processor 146A' of the gateway B (100B) analyzes the received request and, if it determines the request appropriate, sends a response message to the request. The response message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/16 of the private network B (200B), network addresses (10.1.0.0/16, 10.2.0.0/16, ...) to be used in the VPN tunnel instead of the network address of the private network B (200B), the network address 10.0.0.0/24 of the private network A (200A), and the network address 10.2.0.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A).
[0159] When the response message is received from the gateway B (100B), the HTIP processor 146A of the gateway A (100A) analyzes the received message and, if it determines the response appropriate, sends an ACK message to the gateway B (100B). The ACK message may include a VPN protocol to be used, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.2.0.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A), the network address 10.0.0.0/16 of the private network B (200B), and the network address 10.1.0.0/16 to be used in the VPN tunnel instead of the network address of the private network B (200B). Because the network address to be used in the VPN tunnel instead of the network address of the private network A (200A) differs from that network address, it is recognized that the gateway A (100A) needs a NAT.

[0160] After the ACK message has been sent and received, private network connection management tables 132 and 132' are created at the gateway A (100A) and the gateway B (100B). The table generated by the gateway A (100A) may include the VPN protocol in use, such as L2TP, an ID of the tunnel between the private networks, the domain name of the gateway B (100B), an item indicating that the gateway B (100B) is the VPN server, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.0.0/16 of the private network B (200B), the network address 10.2.0.0/24 to be used in the VPN tunnel instead of the network address of the private network A (200A), and the network address 10.1.0.0/16 to be used in the VPN tunnel instead of the network address of the private network B (200B).
[0161] When the gateway B (100B) receives the ACK message, the gateway B (100B) sets the VPN processor 146B' to be the VPN server in order to create a VPN tunnel under the VPN protocol to be used. When the preparation for the tunnel setup between the private networks, including the setting of the VPN processor 146B' as the VPN server, is completed, the HTIP processor 146A' of the gateway B (100B) sends a READY message to the gateway A (100A), informing it that the preparation for the tunnel setup between the private networks has been completed. The READY message may include the VPN protocol in use, such as L2TP, the network address 10.0.0.0/24 of the private network A (200A), the network address 10.0.0.0/16 of the private network B (200B), the network address 10.2.0.0/24 to be used in the VPN tunnel for the private network A (200A), and the network address 10.1.0.0/16 to be used in the VPN tunnel for the private network B (200B).

[0162] When the READY message is received, the HTIP processor 146A of the gateway A (100A) sets the VPN processor 146B to be a VPN client of the gateway B (100B) under the VPN protocol to be used. When the HTIP processor 146A drives the VPN client, a VPN (L2TP) tunnel is created between the gateway A (100A) and the gateway B (100B).
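The message exchange of [0120] to [0127], [0137] to [0144] and [0154] to [0162] (tunnel setup REQUEST, then RESPONSE or NAK, then ACK and READY) is shown below as an added Python simulation written for this page. It is not the patent's HTIP implementation: the message field names, the fallback candidate list an initiator offers after a NAK, the first-free selection rule, and the per-gateway layout of the connection management table are assumptions of the example. It negotiates the tunnel addresses for all three cases, builds both gateways' tables, assigns the VPN server and client roles, and returns the sequence of messages exchanged.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network


def first_free(candidates, blocked):
    """First candidate prefix overlapping none of the blocked prefixes, else None."""
    for cand in candidates:
        if not any(cand.overlaps(b) for b in blocked):
            return cand
    return None


@dataclass
class Gateway:
    domain: str
    network: IPv4Network                           # real address of the private network behind it
    candidates: list                               # tunnel addresses offered in the first request
    fallback: list = field(default_factory=list)   # offered after a NAK (example's assumption)
    tunnels: list = field(default_factory=list)    # tunnel addresses already committed
    table: dict = field(default_factory=dict)      # private network connection management table
    role: str = ""                                 # "server" or "client" for this tunnel


def handle_request(b: Gateway, req: dict) -> dict:
    """Gateway B answers a tunnel setup request with a RESPONSE or a NAK."""
    # A may not appear in the tunnel under an address identical to or contained in
    # B's own network, nor under one B already uses for another tunnel.
    a_tunnel = first_free(req["a_candidates"], [b.network, *b.tunnels])
    if a_tunnel is None:
        return {"type": "NAK", "b_network": b.network}
    b_tunnel = first_free(b.candidates, [a_tunnel, *b.tunnels])
    if b_tunnel is None:
        return {"type": "NAK", "b_network": b.network}
    return {"type": "RESPONSE", "protocol": req["protocol"],
            "a_network": req["a_network"], "a_tunnel": a_tunnel,
            "b_network": b.network, "b_tunnel": b_tunnel}


def negotiate(a: Gateway, b: Gateway, protocol="L2TP", tunnel_id=1) -> list:
    """Run the HTIP exchange from initiator a to responder b; return the message types seen."""
    log = ["REQUEST"]
    req = {"type": "REQUEST", "protocol": protocol,
           "a_network": a.network, "a_candidates": list(a.candidates)}
    resp = handle_request(b, req)
    log.append(resp["type"])
    if resp["type"] == "NAK":
        # Re-negotiate with candidates that avoid the network B reported in the NAK.
        req["a_candidates"] = [c for c in a.fallback if not c.overlaps(resp["b_network"])]
        log.append("REQUEST")
        resp = handle_request(b, req)
        log.append(resp["type"])
        if resp["type"] == "NAK":
            return log                             # negotiation failed: no tunnel, no tables
    log.append("ACK")
    # Both gateways record the negotiated parameters, each from its own viewpoint.
    shared = {"protocol": protocol, "tunnel_id": tunnel_id}
    a.table = {**shared, "peer_domain": b.domain, "peer_role": "server",
               "own_network": a.network, "own_tunnel": resp["a_tunnel"],
               "peer_network": b.network, "peer_tunnel": resp["b_tunnel"]}
    b.table = {**shared, "peer_domain": a.domain, "peer_role": "client",
               "own_network": b.network, "own_tunnel": resp["b_tunnel"],
               "peer_network": a.network, "peer_tunnel": resp["a_tunnel"]}
    # B brings up the VPN server and signals READY; A then connects as the client.
    b.role, a.role = "server", "client"
    b.tunnels.append(resp["b_tunnel"])
    a.tunnels.append(resp["a_tunnel"])
    log.append("READY")
    return log


def nat_needed(gw: Gateway) -> bool:
    """A NAT is set at a gateway's tunnel end only if its tunnel address differs from its real one."""
    return bool(gw.table) and gw.table["own_tunnel"] != gw.table["own_network"]


def nets(*prefixes):
    return [ip_network(p) for p in prefixes]


def case_contained():
    """Constructed third case: A's network lies inside B's, so the first request is NAKed."""
    a = Gateway("gateway A", ip_network("10.0.0.0/24"),
                nets("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"),
                fallback=nets("10.2.0.0/24", "10.2.1.0/24"))
    b = Gateway("gateway B", ip_network("10.0.0.0/16"), nets("10.1.0.0/16", "10.2.0.0/16"))
    return negotiate(a, b), a, b


if __name__ == "__main__":
    log, a, b = case_contained()
    print(log, a.table, b.table, sep="\n")
```

The tunnels list on each gateway is what keeps a second tunnel from reusing an address already committed to the first, which is the no-collision property claimed for the protocol in the closing paragraphs.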

[0163] As described above, a VPN tunnel is created between the gateway A (100A) and the gateway B (100B). The packet transferred to the end of the VPN tunnel at the gateway A (100A) is transferred to the end of the VPN tunnel at the gateway B (100B).

[0164] When the VPN tunnel has been created and connected, the HTIP processor 146A of the gateway A (100A) sets a NAT at its own end of the VPN tunnel, with reference to the private network connection management table 132. With the NAT set, when a packet is transferred from the private network A (200A) through the gateway A (100A) into the VPN tunnel, the source address 10.0.0.x is translated to 10.2.0.x. When a packet is transferred through the VPN tunnel and the gateway A (100A) to the private network A (200A), the destination address 10.2.0.y is translated to 10.0.0.y. The HTIP processor 146A' of the gateway B (100B) likewise sets a NAT at the gateway B (100B) end of the VPN tunnel.

[0165] Because a NAT is set at both ends of the VPN tunnel between the gateway A (100A) and the gateway B (100B), the host A (210A) and the host B (210B) can communicate with each other through the packet transfer shown in FIG. 12.
[0166] With the gateway described with reference to one embodiment of the present invention, the coverage of network utilization available to a user is greatly extended, because it enables connection between a private network and the public network, or between one private network and another. As a result, user convenience increases, and a user of a home network can communicate more actively with users of other home networks through a variety of communities. Additionally, information and devices are shared more actively among the home networks. Furthermore, the shortage of public IP addresses under the current IPv4 environment can be solved, and as a result the overall performance of networks improves.
[0167] The method described above with reference to the second embodiment of the present invention is called the 'Home-to-Home Tunnelling Initiation' protocol (HTIP). Under the HTIP, the information required for the creation of a VPN tunnel between private networks can be exchanged and negotiated in advance, and therefore the pre-configuration required for VPN tunnel setup can be minimized. Also, by using the information negotiated by the HTIP processor to control the VPN processor and the NAT/NAPT processor, existing VPN protocols such as PPTP or L2TP can be used directly without requiring any modification. Because the negotiation under the HTIP is made in advance, the network addresses of a newly formed VPN tunnel do not collide with the network addresses of existing VPN tunnels. As a result, setting up crossing VPN tunnels among two or more private networks is enabled.
[0168] The foregoing embodiment and advantages are merely exemplary and are not to be construed as limiting the present invention. The present teaching can be readily applied to other types of apparatuses. Also, the description of the embodiments of the present invention is intended to be illustrative, and not to limit the scope of the claims, and many alternatives, modifications, and variations will be apparent to those skilled in the art.



Claims 


1. A gateway, comprising:

at least one or more public network interfaces connected to a public network;
at least one or more private network interfaces connected to a private network; and
a control unit for, if a tunnel setup request is received from a first private network to set up a tunnel to a second private network being connected to said public networks, setting up a VPN tunnel by communicating with a gateway of said second private network, wherein, if said second private network and said first private network have identical network address, or if the network address of said first private network is included in the network address of said second private network or vice versa, said control unit creates a new network address table in order for said first and said second private networks to use different network addresses in said VPN tunnel, and translates addresses based on said new network address table and forwards data packets transmitted from said first private network or from the host being connected to said second private network.
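
The address-collision rule of claim 1 and the resulting "new network address table", as an added example that is not the patent's own code: it tests whether the two private networks are identical or one is contained in the other, picks non-colliding tunnel network addresses from an assumed pool (10.0.0.0/8 here, a constructed value; the patent leaves the actual choice to the HTIP negotiation), and applies the 1:1 address translation to packets leaving and entering the tunnel. The function names, the division of work between the two gateways (each one rewrites only the addresses of its own side) and all addresses are assumptions.

```python
"""Added example, not the patent's own code: claim 1's overlap test, the
new network address table, and the per-packet translation a gateway does.
All addresses and the tunnel address pool are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def networks_conflict(a: Net, b: Net) -> bool:
    """Claim 1's condition: identical network addresses, or the network
    address of one private network included in that of the other."""
    return a == b or a.subnet_of(b) or b.subnet_of(a)


@dataclass(frozen=True)
class TunnelAddressTable:
    """The new network address table: the network address each private
    network uses inside the VPN tunnel (identity when there is no conflict)."""
    local_net: Net
    local_tunnel: Net
    remote_net: Net
    remote_tunnel: Net


def _pick_tunnel_net(prefixlen: int, pool: Net, avoid: List[Net]) -> Net:
    """First subnet of the assumed pool, with the wanted prefix length, that
    overlaps none of the networks in `avoid`."""
    for cand in pool.subnets(new_prefix=prefixlen):
        if not any(cand.overlaps(n) for n in avoid):
            return cand
    raise ValueError("tunnel address pool exhausted")


def build_table(local: str, remote: str, pool: str = "10.0.0.0/8") -> TunnelAddressTable:
    """Create the table for one tunnel; tunnel addresses are only assigned
    when the private network addresses conflict."""
    local_net, remote_net, pool_net = Net(local), Net(remote), Net(pool)
    if not networks_conflict(local_net, remote_net):
        return TunnelAddressTable(local_net, local_net, remote_net, remote_net)
    local_tunnel = _pick_tunnel_net(local_net.prefixlen, pool_net, [local_net, remote_net])
    remote_tunnel = _pick_tunnel_net(remote_net.prefixlen, pool_net,
                                     [local_net, remote_net, local_tunnel])
    return TunnelAddressTable(local_net, local_tunnel, remote_net, remote_tunnel)


def _shift(addr: Addr, src: Net, dst: Net) -> Addr:
    """Move addr from network src to network dst, keeping the host part (1:1 NAT)."""
    assert src.prefixlen == dst.prefixlen, "1:1 translation needs equal prefix lengths"
    return Addr(int(dst.network_address) + (int(addr) - int(src.network_address)))


def to_tunnel(table: TunnelAddressTable, src: str, dst: str) -> Dict[str, str]:
    """Packet from a host of the local private network entering the tunnel:
    the source becomes the local tunnel address; the destination, which the
    host already addressed by the remote side's tunnel address, is kept
    (the remote gateway maps it to its own private address)."""
    s = Addr(src)
    if s not in table.local_net:
        raise ValueError(f"{src} is not a host of {table.local_net}")
    return {"src": str(_shift(s, table.local_net, table.local_tunnel)), "dst": dst}


def from_tunnel(table: TunnelAddressTable, src: str, dst: str) -> Dict[str, str]:
    """Packet arriving from the tunnel for a local host: the destination is
    rewritten from the local tunnel address back to the private address."""
    d = Addr(dst)
    if d not in table.local_tunnel:
        raise ValueError(f"{dst} is not a tunnel address of {table.local_tunnel}")
    return {"src": src, "dst": str(_shift(d, table.local_tunnel, table.local_net))}


if __name__ == "__main__":
    # Constructed case: both homes use 192.168.1.0/24 (claim 1's first condition).
    t = build_table("192.168.1.0/24", "192.168.1.0/24")
    print(t)
    print(to_tunnel(t, "192.168.1.10", "10.0.1.20"))
    print(from_tunnel(t, "10.0.1.20", "10.0.0.10"))
```

The "included in" case falls out of the same code: a /16 on one side and a /24 inside it on the other get tunnel networks of their own prefix lengths, and the second pick skips every candidate that overlaps the first.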

2. The gateway as claimed in claim 1, wherein said 
control unit comprises: 

a web server for providing a tunnel setup re- 
quest page in order for the host connected to 
said first private network to request the setup 
of the tunnel; 

a private network Domain Name Server (DNS) 
processor for obtaining an Internet Protocol 
(IP) address of the gateway of said second pri- 
vate network from a Domain Name Server 
(DNS) connected to said public networks with 
respect to said tunnel setup request by said 
host being connected to said second private 
network; 

a Virtual Private Network (VPN) processor op- 
erating as a server or a client according to said 
tunnel setup request transferred through said 
at least one or more public network interfaces 
or through said at least one or more private net- 
work interfaces, and creating a tunnel to said 
second private network; and 
an NAT/NAPT processor for translating a pri- 
vate IP address into an IP address or translat- 
ing an IP address into a private IP address by 
using a Network Address Port Translation 
(NAPT) protocol with respect to data packets 
transmitted to said public networks from said 
private networks or vice versa, wherein, 
if a VPN tunnel is set up between said first pri- 
vate network and said second private network, 
translating private IP addresses in said VPN 
tunnel by using a Network Address Translation 
(NAT) protocol. 

3. The gateway as claimed in claim 2, wherein, if said 
tunnel setup request is transmitted from said host 
being connected to said first private network, said 
VPN processor sends out said tunnel setup request 
message to the gateway of said second private net- 
work, and, 

if a response to said tunnel setup request is 
received from the gateway of said second private 
network, said VPN processor sends out an ac- 
knowledgement (ACK) to the gateway of said sec- 
ond private network. 
4. The gateway as claimed in claim 3, wherein said tunnel setup request message comprises a network address of said second private network and a second network address to be used for the network address of said second private network in the VPN tunnel.


5. The gateway as claimed in claim 3, wherein, if said tunnel setup request message comprising a network address of said second private network and a second network address to be used in the VPN tunnel as a network address of said second private network is received, said VPN processor sends to said second private network a response message comprising a network address of said first private network, said second network address, and a third network address to be used in the VPN tunnel as a network address of said second private network.

6. The gateway as claimed in claim 2, wherein said web server is replaceable with a middleware server.

7. The gateway as claimed in claim 1, wherein said control unit comprises:

a web server for providing a tunnel setup request page in order for the host connected to said first private network to request the setup of the tunnel;
a private network Domain Name Server (DNS) processor for obtaining an Internet Protocol (IP) address of the gateway of said second private network from a Domain Name Server (DNS) connected to the public networks with respect to said tunnel setup request by said host being connected to said first private network;
a Home-to-Home Tunnelling Initiation Protocol (HTIP) processor for transmitting and receiving a tunnel setup request message in accordance with said tunnel setup request being transmitted through said at least one or more public network interfaces or transmitted through said at least one or more private network interfaces, said tunnel setup request message containing a necessary parameter for the setup of the tunnel between said first and said second private networks;
a Virtual Private Network (VPN) processor operating as a server or a client, and processing such that said tunnel can be set up between said first and said second private networks; and
an NAT/NAPT processor for translating a private IP address into an IP address or translating an IP address into a private IP address by using a Network Address Port Translation (NAPT) protocol with respect to data packets transmitted to said public networks from said private networks or vice versa, wherein, if a VPN tunnel is set up between said first private network and said second private network and if address translation is required, said NAT/NAPT processor translates private IP addresses in said VPN tunnel by using a Network Address Translation (NAT) protocol.


8. The gateway as claimed in claim 7, wherein, if said 
tunnel setup request to said second private network 
is received from said host being connected to said 
first private network, said HTIP processor sends 
said tunnel setup request message to the gateway 
of said second private network, and 

if a response to said tunnel setup request is 
received from the gateway of said second private 
network, said HTIP processor sends an acknowl- 
edgement (ACK) message to the gateway of said 
second private network. 

9. The gateway as claimed in claim 8, wherein said 
parameter included in said tunnel setup request 
message to said second private network comprises: 

a VPN protocol to be used in setting up the tun- 
nel; 

a network address of said first private network; 
and 

second network addresses to be used in said 
VPN tunnel as a network address of said first 
private network. 

10. The gateway as claimed in claim 8, wherein, if said 
tunnel setup request message is received from said 
second private network, said HTIP processor sends 
out a response message, 

said tunnel setup request message compris- 
ing a VPN protocol to be used in setting up the tun- 
nel, a network address of said second private net- 
work, and second network addresses to be used in 
said VPN tunnel as a network address of said sec- 
ond private network, and 

said response message comprising a VPN 
protocol to be used in setting up the tunnel, a net- 
work address of said first private network, third net- 
work addresses to be used in said VPN tunnel for 
a network address of said first private network, a 
network address of said second private network, 
and said second network addresses. 

11. The gateway as claimed in claim 8, wherein, if said 
ACK message is received from said second private 
network, said HTIP processor sets said VPN proc- 
essor to be a VPN server, and sends out a READY 
message, notifying said second private network 
that the setting of said VPN processor is completed. 

12. The gateway as claimed in claim 11, wherein, if said READY message is received from said second private network, said HTIP processor sets said VPN processor to be a VPN client with respect to the VPN server of said second private network, and drives said VPN client to set up a VPN tunnel between said first private network and said second private network.

13. The gateway as claimed in claim 8, wherein said HTIP processor analyzes said tunnel setup request message or said response message from said second private network, and, if determining said message to be inappropriate, notifies the same accordingly by sending out a NAK message to said second private network.


14. The gateway as claimed in claim 13, wherein, if said NAK message is received in response to said tunnel setup request message or said response message being transmitted to said second private network, said HTIP processor newly sets parameters and parameter values contained in said messages and re-sends said newly-set parameters and parameter values to said second private network.

15. The gateway as claimed in claim 8, wherein said HTIP processor negotiates in advance the parameters comprising a VPN protocol to be used in setting up the tunnel, a network address of said first private network, a second network address to be used in said VPN tunnel for a network address of said first private network, a network address of said second private network, and a third network address to be used in said VPN tunnel for a network address of said second private network, such that VPN tunnels are set up simultaneously among said at least one or more private networks while the network addresses used in existing VPN tunnels do not collide with the network addresses of said VPN tunnel.
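
The HTIP exchange of paragraph [0167] and claims 8 to 15, modelled end to end as an added example that is not the patent's own code: the initiating gateway sends the tunnel setup request (VPN protocol, its private network address, the address it will use in the tunnel), the responding gateway checks it, answers with its own parameters echoed together with the initiator's, the initiator acknowledges, the responder configures its VPN processor as server and sends READY, and the initiator then configures its VPN processor as client. A NAK is returned when a message is inappropriate (here: an unsupported VPN protocol, or a proposed tunnel address that collides with a tunnel already up), and the sender re-sends with newly set parameters. The class and message field names, the candidate address pools, the collision checks chosen and every address are assumptions; the page names the message types but no wire format.

```python
"""Added example, not the patent's own code: a model of the HTIP handshake
of claims 8 to 15.  Class, message and field names, the candidate tunnel
address pools and all addresses are constructed for this example."""
import ipaddress
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
SUPPORTED_VPN = {"PPTP", "L2TP"}   # the protocols paragraph [0167] mentions


class HTIPGateway:
    """One home gateway's HTIP processor, plus the VPN-role setting it
    makes on its VPN processor (claims 11 and 12)."""

    def __init__(self, name: str, private_net: str, pool: str,
                 existing_tunnels: List[str] = ()):
        self.name = name
        self.net = Net(private_net)
        # Tunnel network addresses of tunnels already up on this gateway;
        # a new tunnel must not collide with them (claim 15).
        self.existing = [Net(n) for n in existing_tunnels]
        # Candidate tunnel networks this side offers, tried in order (assumed).
        self.candidates = Net(pool).subnets(new_prefix=self.net.prefixlen)
        self.my_tunnel: Optional[Net] = None   # our "second"/"third" network address
        self.peer: Dict[str, str] = {}         # what we learned about the peer
        self.last_sent: Dict[str, str] = {}    # message to repeat after a NAK
        self.role: Optional[str] = None        # "server" or "client" once set

    def _collides(self, net: Net) -> bool:
        return any(net.overlaps(t) for t in self.existing)

    def _next_offer(self) -> Net:
        """Next candidate colliding with neither our existing tunnels nor
        the tunnel address the peer has already claimed."""
        for cand in self.candidates:
            if not self._collides(cand) and not (
                    self.peer and cand.overlaps(Net(self.peer["tunnel_net"]))):
                return cand
        raise RuntimeError(f"{self.name}: no free tunnel network address")

    def _check(self, msg: Dict[str, str]) -> Optional[str]:
        """Claim 13: is a request or response acceptable?  Returns the NAK
        reason, or None when the message is fine."""
        if msg["vpn"] not in SUPPORTED_VPN:
            return "unsupported VPN protocol"
        peer_tunnel = Net(msg["tunnel_net"])
        if self._collides(peer_tunnel):
            return "peer tunnel address collides with an existing tunnel"
        if self.my_tunnel is not None and peer_tunnel.overlaps(self.my_tunnel):
            return "peer tunnel address collides with our tunnel address"
        if msg["type"] == "RESPONSE" and msg["peer_tunnel_net"] != str(self.my_tunnel):
            return "response does not echo the offered tunnel address"
        return None

    def request(self, vpn: str = "L2TP") -> Dict[str, str]:
        """Claim 9: VPN protocol, our private network address, and the
        address we will use for it inside the tunnel."""
        self.my_tunnel = self._next_offer()
        self.last_sent = {"type": "REQUEST", "vpn": vpn,
                          "net": str(self.net), "tunnel_net": str(self.my_tunnel)}
        return self.last_sent

    def handle(self, msg: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Process one incoming HTIP message and return the reply, if any."""
        kind = msg["type"]
        if kind in ("REQUEST", "RESPONSE"):
            reason = self._check(msg)
            if reason:
                return {"type": "NAK", "reason": reason}
            self.peer = {"net": msg["net"], "tunnel_net": msg["tunnel_net"]}
            if kind == "RESPONSE":
                return {"type": "ACK"}
            # Claim 10: the response echoes the peer's parameters and adds ours.
            self.my_tunnel = self._next_offer()
            self.last_sent = {"type": "RESPONSE", "vpn": msg["vpn"],
                              "net": str(self.net), "tunnel_net": str(self.my_tunnel),
                              "peer_net": msg["net"], "peer_tunnel_net": msg["tunnel_net"]}
            return self.last_sent
        if kind == "ACK":                       # claim 11: become the VPN server
            self.role = "server"
            return {"type": "READY"}
        if kind == "READY":                     # claim 12: become the VPN client
            self.role = "client"
            return None
        if kind == "NAK":                       # claim 14: new parameters, re-send
            self.my_tunnel = self._next_offer()
            self.last_sent["tunnel_net"] = str(self.my_tunnel)
            return self.last_sent
        raise ValueError(f"unknown HTIP message {kind}")


def negotiate(initiator: HTIPGateway, responder: HTIPGateway,
              max_msgs: int = 12) -> List[str]:
    """Carry messages back and forth until READY is delivered (or give up);
    returns the transcript of message types in order."""
    log: List[str] = []
    msg, sender, receiver = initiator.request(), initiator, responder
    while msg is not None and len(log) < max_msgs:
        log.append(f"{sender.name}->{receiver.name} {msg['type']}")
        msg, sender, receiver = receiver.handle(msg), receiver, sender
    return log


if __name__ == "__main__":
    # Constructed case: both homes use 192.168.1.0/24 and the same pool, and
    # B already has a tunnel on 10.10.0.0/24, so A's first offer is NAKed.
    a = HTIPGateway("A", "192.168.1.0/24", "10.10.0.0/16")
    b = HTIPGateway("B", "192.168.1.0/24", "10.10.0.0/16", ["10.10.0.0/24"])
    for line in negotiate(a, b):
        print(line)
    print(a.role, a.my_tunnel, b.role, b.my_tunnel)
```

With the constructed inputs the transcript is REQUEST, NAK, REQUEST, RESPONSE, ACK, READY: B rejects A's offer of 10.10.0.0/24 because that address is already in use by an existing tunnel, A re-offers 10.10.1.0/24, and B picks 10.10.2.0/24 for itself, so the two sides end up with distinct addresses in the new tunnel that also do not collide with B's existing one, which is the point of claim 15.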

16. The gateway as claimed in claim 7, wherein said web server is replaceable with a middleware server.